The goal of this post is to describe the steps needed to implement SCCM Internet-based client management. With more clients working from home, this solution allows you to manage clients over the internet. The other option is to install a Cloud Management Gateway (CMG).

Download the step-by-step guide in the download section or directly here. From now on, this blog post won't be updated; only the document will be.

In this scenario, SCCM 2012 R2 is installed as a stand-alone primary site. For security reasons, a second site server is installed in the DMZ to respond to internet clients' requests. Internet clients are laptops and tablets that are sometimes on the intranet (work network) and sometimes on the internet.


Assumptions:

  • Your primary site server is up and running
  • Site server is installed in the DMZ
  • Site systems that support Internet-based client management must have connectivity to the Internet and must be in an Active Directory domain.
  • The Internet fully qualified domain name (FQDN) of site systems that support Internet-based client management must be registered as host entries on public DNS servers
  • Your organisation has a certificate server (an internal CA)
  • You have a client on the internet for testing purposes

Grab a cup of coffee and here we go!

High level steps:

  • Create the needed certificate templates
  • Issue the certificate on the new machine
  • GPO creation for client Auto-Enrollment
  • Add the Management Point role and the distribution point role to the new machine
  • Test the setup on an internet client

1.1.   Overview

The following table lists the types of PKI certificates that are required for System Center 2012 Configuration Manager and describes how they are used.

Certificate requirement: Web server certificate for site systems that run IIS

Certificate description: This certificate is used to encrypt data and authenticate the server to clients. It must be installed externally from Configuration Manager on site system servers that run IIS and that are configured in Configuration Manager to use HTTPS. In this guide it is installed on any site server with the Management Point and/or Distribution Point role and bound to the HTTPS site in IIS.

Certificate requirement: Client certificate for Windows computers

Certificate description: This certificate is used to authenticate Configuration Manager client computers to site systems that are configured to use HTTPS. It can also be used by management points and state migration points to monitor their operational status when they are configured to use HTTPS. It must be installed externally from Configuration Manager on the computers.

Certificate requirement: Client certificate for distribution points

Certificate description: This certificate has two purposes:

  • It is used to authenticate the distribution point to an HTTPS-enabled management point before the distribution point sends status messages.
  • When the "Enable PXE support for clients" distribution point option is selected, the certificate is sent to computers that PXE boot so that they can connect to an HTTPS-enabled management point during the deployment of the operating system.

1.2.   Certificate Creation

WEB SERVER (IIS) CERTIFICATE

This procedure creates a certificate template for Configuration Manager 2012 site systems.

To create and issue the Web server certificate template on the certification authority:

  1. Ensure that you have a security group that contains the member servers on which you will install Configuration Manager 2012 site systems that run IIS (SCCM_SiteServers).
  2. RDP to an Intermediate CA.
  3. Open the Certification Authority console, right-click Certificate Templates and click Manage.
  4. Right-click Web Server and click Duplicate Template.
  5. In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK. Do not select Windows 2008 Server, Enterprise Edition.
  6. In the Properties, name this "ConfigMgr 2012 IIS Certificate".
  7. Set the Validity Period to 5 years.
  8. Click the Subject Name tab and select the "Supply in the request" radio button.
  9. Click the Security tab, and remove the Enroll permission from the security groups Domain Admins and Enterprise Admins.
  10. Click Add, enter "SCCM_SiteServers" in the text box, and then click OK.
  11. Select the Enroll permission for this group, and do not clear the Read permission.
  12. Click OK, and close the Certificate Templates console.

DISTRIBUTION POINT SITE SERVER CERTIFICATE

This procedure creates a certificate template for Configuration Manager 2012 Distribution Points.

  1. Ensure that you have a security group that contains the member servers on which you will install Configuration Manager 2012 site systems that run IIS (SCCM_SiteServers).
  2. RDP to an Intermediate CA.
  3. Open the Certification Authority console, right-click Certificate Templates and click Manage.
  4. Right-click Workstation Authentication and click Duplicate Template (again select Windows 2003 Server, Enterprise Edition).
  5. Rename the template "ConfigMgr 2012 Client Distribution Point Certificate".
  6. Set the Validity Period to 5 years.
  7. On the Request Handling tab, select "Allow private key to be exported".
  8. On the Security tab, add the "SCCM_SiteServers" group and give it the Enroll permission. Click Apply, then OK.
  9. If you now look at the Certificate Templates console you will see our new templates.

CLIENT CERTIFICATE

This procedure creates a certificate template for Configuration Manager 2012 clients.

  1. RDP to an Intermediate CA.
  2. Open the Certification Authority console, right-click Certificate Templates and click Manage.
  3. Right-click Workstation Authentication and click Duplicate Template.
  4. Make sure to select Windows 2003 Server, not 2008.
  5. In the Properties, name this "ConfigMgr 2012 Client Certificate".
  6. Set the Validity Period to 5 years.
  7. Click the Security tab, select the Domain Computers group and add the Read and Autoenroll permissions; do not clear Enroll. Then click OK.
  8. When you refresh your console, you will see that the new template is there.

1.3.   Issuing the 3 certificates

  • In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.
  • In the Enable Certificate Templates dialog box, select the 3 new templates you have just created:
      • ConfigMgr 2012 Client Certificate
      • ConfigMgr 2012 IIS Certificate
      • ConfigMgr 2012 Client Distribution Point Certificate
  • Click OK.
  • They will then show up in the Certificate Templates listing.
  • Close the Certification Authority console.

1.4.   Auto-Enroll GPO

  • Launch Group Policy Management on your domain (Start – Administrative Tools – Group Policy Management).
  • Right-click your Laptop OU and select "Create a GPO in this domain, and Link it here…".
  • Name your GPO. I named my policy "AutoEnroll ConfigMgr Client Cert", then clicked OK.
  • Edit your newly created GPO. Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies. Right-click Certificate Services Client – Auto-Enrollment and then click Properties.

Change the Configuration Model to Enabled, check "Renew expired certificates, update pending certificates, and remove revoked certificates" and "Update certificates that use certificate templates". Then click Apply and OK.

Reboot a workstation and run "gpupdate /force" (or wait the 15 minutes until Group Policy is re-applied): any machine on the domain communicating with the DC will then request and receive a client certificate automatically, which is placed in the Local Computer Personal certificate store.

1.5.   Distribution Point

REQUEST DISTRIBUTION POINT CERTIFICATE

The same certificate can be used on all DPs, so you only need to do the following steps on the internet-facing DP.

  • Reboot your SCCM site server, so that it picks up the permission change that allows it to request the Web Server certificate.
  • Once the reboot completes, RDP to your DP server
  • Start > Run.  Type mmc.exe and click OK
  • Click File > Add/Remove Snap-In… Choose Certificates and click Add
  • Choose Computer Account, click Next, Choose Local Computer, click Finish
  • Click OK, and then expand the Certificates tree to the Personal > Certificates folder.
  • Click All Tasks > Request New Certificate…
  • You are presented with the Certificate Enrollment wizard.
  • Click Next.
  • Leave the default here, and click Next
  • At the Request Certificates part of the wizard, check the ConfigMgr Client Distribution Point Certificate.
  • Click Enroll and then finish once the enrollment is successful.
  • Now we need to export the Client Distribution Point Certificate while we are in the Certificates Management console.
  • Right-click the certificate and select All Tasks > Export
  • Click Next at the Welcome screen of the export wizard. On the Export Private Key page, select "Yes, export the private key" and click Next.
  • Select Personal Information Exchange – PKCS #12 (.PFX) and then click Next.
  • Set a password (15 characters) and document it.
  • Save the file as "SCCM DP Certificate" to a network location.
  • The reason for this export is that we will later import this certificate into the SCCM DP, and we need to do so in PKCS #12 format, with the password-protected private key included.

1.6.   Management Point

REQUEST CM2012 IIS CERTIFICATE

This shall be done on the Management point that will handle internet client requests.

  • Start > Run.  Type mmc.exe and click OK
  • Click File > Add/Remove Snap-In… Choose Certificates and click Add
  • Choose Computer Account, click Next, Choose Local Computer, click Finish
  • Click OK, and then expand the Certificates tree to the Personal > Certificates folder.
  • Click All Tasks > Request New Certificate…
  • You are presented with the Certificate Enrollment wizard.
  • Click Next.
  • Leave the default here, and click Next
  • At the Request Certificates part of the wizard, check the ConfigMgr 2012 IIS Certificate.
  • You will notice that under the Web cert there is a prompt that says "More information is required to enroll for this certificate. Click here to configure settings".
  • Click the link and setup your Certificate Properties.
  • For Subject name, select Common name and use the server name as the common name.
  • For Alternative name, select DNS and use the server name as well as its FQDN as DNS.
  • In General tab, use the server name as the friendly name.
  • In Certification Authority tab, select only your regional CA.
  • Click Add and then OK.
  • The warning will then disappear from the Request Certificates screen of the Certificate Enrollment wizard.
  • Click Enroll and then finish once the enrollment is successful.

ASSIGN THE WEB (IIS) CERTIFICATE TO IIS

This shall be done on the Management point that will handle internet client requests.

  • Launch IIS Manager
  • Navigate to the Default Website
  • Right-click it and select Edit Bindings
  • Add https binding and click Edit
  • Select the certificate with your server name, and then click OK.

1.7.   Add the new site system in SCCM

Ensure that all your certificate actions are done before adding the roles.

PREREQUISITES

  • RDP to your DMZ site server
  • Add the following prerequisites in Server Features:

Management Point:

  • .NET Framework 3.5 SP1
  • Default IIS with:
      • ISAPI Extensions
      • Windows Authentication
      • IIS 6 Metabase Compatibility
      • IIS 6 WMI Compatibility
  • BITS Server Extensions

Distribution Point:

  • Default IIS with:
      • ISAPI Extensions
      • Windows Authentication
      • IIS 6 Metabase Compatibility
      • IIS 6 WMI Compatibility
  • BITS Server Extensions
  • Remote Differential Compression

ROLES INSTALLATION

  • Open the SCCM console
  • Go to Administration / Servers and Site System Roles
  • Create Site System Server
  • Specify the new site server name and specify the Internet FQDN
  • Select the DP and MP roles
  • In the Distribution Point section, configure the ConfigMgr Client Distribution Point certificate (the .PFX created in the previous section), supply the password and click OK.
  • Choose HTTPS and "Allow Internet-only client connections"
  • In the Management Point section, choose HTTPS and "Allow Internet-only client connections"

1.8.   Change SCCM client communication settings

This shall be done on each primary site server.

  • Go to Administration –> Sites –> right-click the site and choose Properties
  • Go to Client Computer Communication –> choose HTTPS or HTTP
  • Check the "Use PKI client certificate (client authentication capability) when available" checkbox
  • Import the Root CA certificate in the Trusted Root Certification Authorities section at the bottom

1.8.   Client installation

Client push is not supported on the internet. The client must be installed on your network before it can go on the internet.

The logic behind this is that the client first tries to communicate with the intranet MP; if successful, the client shows "Currently Intranet". If it fails, it tries to reach the internet MP and shows "Currently Internet". When the laptop is back at the office, it returns to the intranet MP. The evaluation is done when the computer gets its IP address.

You have different options to do so:

  • You can manually add the new MP FQDN in the "Network" tab of the client properties (Configuration Manager control panel applet)
  • You can include the Client.msi property CCMHOSTNAME=<Internet FQDN of the Internet-based management point> when you install the client, for example by using manual installation or client push. When you use this method, you must also directly assign the client to the site (SMSSITECODE) and cannot use automatic site assignment.
  • Configure clients for Internet-based client management after client installation by using a script:

-------start of script--------
On Error Resume Next

' Create variables.
Dim newInternetBasedManagementPointFQDN
Dim client

' Replace with the Internet FQDN of your Internet-based management point.
newInternetBasedManagementPointFQDN = "mp.yourorganisation.com"

' Create the Configuration Manager client COM object.
Set client = CreateObject("Microsoft.SMS.Client")

' Set the Internet-based management point FQDN by calling the SetInternetManagementPointFQDN method.
client.SetInternetManagementPointFQDN newInternetBasedManagementPointFQDN

' Report a failure, since On Error Resume Next would otherwise hide it.
If Err.Number <> 0 Then
    WScript.Echo "Failed to set the Internet management point: " & Err.Description
End If

' Clear variables.
Set client = Nothing
-------end of script--------

***Replace mp.yourorganisation.com with the Internet FQDN of your Internet-based management point.

1.9.   Test your clients

  • After installing a client on the internet, make sure that it is using HTTPS and that the "Connection Type" in the client properties shows Internet
  • You can also review ClientLocation.log and datatransfer.log to ensure that your new MP is used
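As an added example (not part of the original post), the same client-side configuration as the script in 1.8 and the check from 1.9, in PowerShell: it sets the Internet MP through the Microsoft.SMS.Client COM object, reads it back, and reports the connection type and current MP from the client's root\ccm WMI namespace. mp.yourorganisation.com is a placeholder, and the ClientInfo and SMS_Authority WMI classes are assumed to be present on a ConfigMgr 2012 R2 client.

```powershell
# Added example, not from the original post. Run elevated on a machine with the
# ConfigMgr client installed. Replace mp.yourorganisation.com (placeholder) with
# the Internet FQDN of your Internet-based management point.
param(
    [string]$InternetMpFqdn = 'mp.yourorganisation.com'
)

# Same COM object the VBScript in section 1.8 uses.
$client = New-Object -ComObject 'Microsoft.SMS.Client'

# Configure the Internet-based management point, then read it back so that a
# silent failure cannot go unnoticed.
$client.SetInternetManagementPointFQDN($InternetMpFqdn)
$configured = $client.GetInternetManagementPointFQDN()
if ($configured -ne $InternetMpFqdn) {
    throw "Internet MP was not applied; client reports '$configured'"
}

# Connection type and current MP as the client itself sees them. ClientInfo.InInternet
# and SMS_Authority.CurrentManagementPoint in root\ccm are assumed to exist on the client.
$info      = Get-WmiObject -Namespace 'root\ccm' -Class 'ClientInfo'
$authority = Get-WmiObject -Namespace 'root\ccm' -Class 'SMS_Authority'

$connectionType = if ($info.InInternet) { 'Currently Internet' } else { 'Currently Intranet' }

# This is what the "Connection Type" check in section 1.9 should show; for the
# details of the MP selection, also read ClientLocation.log in the client Logs folder.
[pscustomobject]@{
    InternetMpFqdn = $configured
    ConnectionType = $connectionType
    CurrentMP      = $authority.CurrentManagementPoint
    AssignedSite   = $client.GetAssignedSite()
}
```

Run it once while the machine is on the intranet and once while it is on the internet: ConnectionType and CurrentMP should switch between the intranet MP and the Internet FQDN you configured.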

That was intense… Until next time!

See this TechNet blog post to fix common issues: Here

Comments (52)

Visan

01.13.2016 AT 08:27 AM
Hi Benoit, I have followed your guide and deployed an internet based MP and DP on a DMZ server that is joined to the same domain as that of the primary server. i have the certificates in place as well. All seems well but the setup does not respond to the browser tests (http://sms_mp/.sms_aut?mplist). Could you suggest any remedy for this.

Oscar Gutiérrez

12.22.2015 AT 10:37 AM
Hi, I already purchased your guide, was very useful. Can you issue an Invoice for my company? tnks

Paul

12.04.2015 AT 03:30 PM
Thanks for the guide! I have downloaded and followed your tutorial and I'm confused on one of the parts. During step 3.2 I go through the installation of the MP and DP. After selecting Distribution Point and Management Point it looks like you're missing some steps. It goes to configure the Client DP Certificate and then straight to the Management Point settings. What do I set for the Distribution Point Settings? I see options to "Install and configure IIS if required by Configuration Manager" and Enable and configure BranchCache for the distribution point. Do I not choose any of these options? Your screen shot does not match what I see in the wizard. Also what about the Drive Settings, Pull Distribution Point, Content Validation, Boundary Groups, Management Point, and Management Point Database Settings? Your guide doesn't say to skip these nor does it say to configure these. Can you clarify if these settings are skipped? Thanks again.

Troy

12.01.2015 AT 08:47 PM
I'm in the process of attempting to set up an IBDP. SCCM 2012 R2 is fully stood up in my environment. My question is would I have to set up the primary site server as the IBDP (I hope not) or would I have to set up a new server with the MP and DP. And if I do need to set up a new server with these 2 roles, would I need to set up a boundary group like the Internal Distribution Points?

Benoit Lecours

12.02.2015 AT 08:40 AM
Yes, you need to add a new site server. Use the boundary group to limit your internet clients to your internet facing DP.

Zach

11.19.2015 AT 09:09 AM
I'm not sure what cert to import for my Trusted Root CA on my Primary site properties in your last steps. When I click Set I have no options to pick from. Great article by the way, just need a little help with this last step.

Chabs

04.09.2018 AT 01:01 AM
Same- many steps are missed in 1.7

Chris

01.09.2017 AT 03:13 PM
I am in the same boat.

Jeff B.

07.18.2016 AT 12:05 PM
Ever figure which cert this is supposed to be?

Pushkar Singh

10.26.2015 AT 11:40 PM
Hi Benoit, As mentioned in the above guide we can go for installing a secondary site with MP and DP installed for managing Internet clients. If I want to have a local SUP for my internet clients then I could not go for installing secondary sites, so in that case should I have one primary site installed for managing internal clients and another for internet clients? Please suggest.

Benoit Lecours

10.30.2015 AT 09:09 AM
Hi Pushkar, I won't install a Secondary or Primary site at all. Just deploy a site server in your DMZ with the SUP role and make sure that all the certificates are issued to the client using the guide.

Mike

07.14.2015 AT 06:59 AM
Thank you for the documentation. My question is how does the client on the internet get the Sccm client installed, if they are not connected VPN?


Mike Givens

07.13.2015 AT 08:47 AM
First of all, I want to thank you for your blog and your documentation is very thorough. My question is how do the internet based clients connect to the internet MP in order to get the client installed. For example, do they connect VPN? Please advise thanks.

Benoit Lecours

07.13.2015 AT 09:30 AM
As described in section 1.8. Client installation, the client must be installed on your network before it can go on the internet. You can install your clients when the machines are on the VPN without problem, as long as the VPN IP range is in the site assignment boundary.

Snoopy

07.07.2015 AT 07:39 PM
Hi Ben, Thanks a lot and can't thank you enough for this awesome guide, and thank you once again for taking time off to put this article down here.

David

01.06.2015 AT 07:40 PM
Thanks for the article Benoit, might be worth while specifying "In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK. Do not select Windows 2008 Server, Enterprise Edition." when going through how to create the remaining templates as they all need to be Windows 2003 Server. Cheers, David

Benoit Lecours

01.07.2015 AT 10:02 AM
Excellent point, thanks for pointing that out.

ravinder

07.02.2014 AT 12:22 PM
It's a wonderful link really! Great info. Can you also help me in conveying the requirement to the CA admin? We have an internal CA authority, not public SSL. Will that work?

Benoit Lecours

07.02.2014 AT 05:04 PM
I'm not sure to understand your question. The certificate used in the procedure is from a CA authority, not from a public provider.

ravinder

07.03.2014 AT 07:42 AM
Another good point raised by someone in a blog is about the requirement of the Root certificate/Root certificate chain for IBCM.

ravinder

07.03.2014 AT 07:30 AM
Got you. I am a little confused on whether SUP should be installed with MP and DP on the DMZ site system. We do not have any special requirement, just want internet machines to be able to get patches. Also from a ports perspective, I have listed the following requirements. The following ports need to be opened in the firewall between the work network and the DMZ:
  • DMZ site server to DB: 1433 (bi-directional)
  • DMZ site server to primary site server: TCP 445 (bi-directional)
  • Primary to DMZ site server, RPC endpoint mapper: 135 (UDP & TCP) (bi-directional)
  • DMZ site server to SUP: 80 & 443 TCP
  • Primary to DMZ site server: RPC dynamic TCP ports
  • Primary to DMZ site server, RDP: TCP 3389 (uni-directional)
  • Allowed traffic from internet to communicate with DP/MP/SUP (443, bi-directional)
  • Active Directory and Certificate Services ports required for communicating with the DMZ server, and DNS ports as per company DMZ policy
Am I missing something?

selimatmaca

05.11.2014 AT 07:41 PM
Hi Benoit, You might remember me! I asked a question on the TechNet Forums about PKI and you suggested reading your article: http://social.technet.microsoft.com/Forums/en-US/171988f6-52db-45ae-b769-325010515f0e/internet-based-client-communication-can-not-be-established?forum=configmanagerdeployment After reading this article I figured out that I had only chosen to allow intranet communication. After changing it to Intranet and Internet, it started working from the Internet too. 🙂 Thanks a million for this great article.

Benoit Lecours

05.12.2014 AT 12:59 PM
Thanks for the feedback ! 🙂

Bogdan

03.20.2014 AT 09:41 AM
Hello guys, awesome tutorial, thank you. I have a question: do these steps also apply to an untrusted forest infrastructure? I'm trying to install the SCCM client and I receive the following error: "Failed to receive ccm message response. Status code = 403; GetDPLocations failed with error 0x80004005; Failed to get DP locations as the expected version from MP 'https://SCCMServer. Error 0x80004005" Any thoughts? Regards.

Benoit Lecours

05.14.2014 AT 06:53 PM
Hi Bogdan, What's your installation method? What are your installation properties? Can you browse your DP using http? http:///sms_mp/.sms_aut?mplist